@actions/attest
Advanced tools
@actions/attest - npm Package Compare versions
Comparing version 1.2.1 to 1.3.0
@@ -10,4 +10,3 @@ declare const PUBLIC_GOOD_ID = "public-good"; | ||
| export declare const SIGSTORE_PUBLIC_GOOD: Endpoints; | ||
| export declare const SIGSTORE_GITHUB: Endpoints; | ||
| export declare const signingEndpoints: (sigstore?: SigstoreInstance) => Endpoints; | ||
| export {}; |
@@ -26,3 +26,3 @@ "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.signingEndpoints = exports.SIGSTORE_GITHUB = exports.SIGSTORE_PUBLIC_GOOD = void 0; | ||
| exports.signingEndpoints = exports.SIGSTORE_PUBLIC_GOOD = void 0; | ||
| const github = __importStar(require("@actions/github")); | ||
@@ -33,4 +33,2 @@ const PUBLIC_GOOD_ID = 'public-good'; | ||
| const REKOR_PUBLIC_GOOD_URL = 'https://rekor.sigstore.dev'; | ||
| const FULCIO_INTERNAL_URL = 'https://fulcio.githubapp.com'; | ||
| const TSA_INTERNAL_URL = 'https://timestamp.githubapp.com'; | ||
| exports.SIGSTORE_PUBLIC_GOOD = { | ||
@@ -40,6 +38,2 @@ fulcioURL: FULCIO_PUBLIC_GOOD_URL, | ||
| }; | ||
| exports.SIGSTORE_GITHUB = { | ||
| fulcioURL: FULCIO_INTERNAL_URL, | ||
| tsaServerURL: TSA_INTERNAL_URL | ||
| }; | ||
| const signingEndpoints = (sigstore) => { | ||
@@ -63,6 +57,17 @@ var _a; | ||
| case GITHUB_ID: | ||
| return exports.SIGSTORE_GITHUB; | ||
| return buildGitHubEndpoints(); | ||
| } | ||
| }; | ||
| exports.signingEndpoints = signingEndpoints; | ||
| function buildGitHubEndpoints() { | ||
| const serverURL = process.env.GITHUB_SERVER_URL || 'https://github.com'; | ||
| let host = new URL(serverURL).hostname; | ||
| if (host === 'github.com') { | ||
| host = 'githubapp.com'; | ||
| } | ||
| return { | ||
| fulcioURL: `https://fulcio.${host}`, | ||
| tsaServerURL: `https://timestamp.${host}` | ||
| }; | ||
| } | ||
| //# sourceMappingURL=endpoints.js.map |
@@ -1,2 +0,2 @@ | ||
| declare const REQUIRED_CLAIMS: readonly ["iss", "ref", "sha", "repository", "event_name", "workflow_ref", "repository_id", "repository_owner_id", "runner_environment", "run_id", "run_attempt"]; | ||
| declare const REQUIRED_CLAIMS: readonly ["iss", "ref", "sha", "repository", "event_name", "job_workflow_ref", "workflow_ref", "repository_id", "repository_owner_id", "runner_environment", "run_id", "run_attempt"]; | ||
| export type ClaimSet = { | ||
@@ -3,0 +3,0 @@ [K in (typeof REQUIRED_CLAIMS)[number]]: string; |
@@ -50,2 +50,3 @@ "use strict"; | ||
| 'event_name', | ||
| 'job_workflow_ref', | ||
| 'workflow_ref', | ||
@@ -52,0 +53,0 @@ 'repository_id', |
@@ -16,4 +16,3 @@ "use strict"; | ||
| const SLSA_PREDICATE_V1_TYPE = 'https://slsa.dev/provenance/v1'; | ||
| const GITHUB_BUILDER_ID_PREFIX = 'https://github.com/actions/runner'; | ||
| const GITHUB_BUILD_TYPE = 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1'; | ||
| const GITHUB_BUILD_TYPE = 'https://actions.github.io/buildtypes/workflow/v1'; | ||
| const DEFAULT_ISSUER = 'https://token.actions.githubusercontent.com'; | ||
@@ -54,3 +53,4 @@ /** | ||
| repository_id: claims.repository_id, | ||
| repository_owner_id: claims.repository_owner_id | ||
| repository_owner_id: claims.repository_owner_id, | ||
| runner_environment: claims.runner_environment | ||
| } | ||
@@ -69,3 +69,3 @@ }, | ||
| builder: { | ||
| id: `${GITHUB_BUILDER_ID_PREFIX}/${claims.runner_environment}` | ||
| id: `${serverURL}/${claims.job_workflow_ref}` | ||
| }, | ||
@@ -72,0 +72,0 @@ metadata: { |
@@ -49,2 +49,3 @@ "use strict"; | ||
| entryType: 'dsse', | ||
| fetchOnConflict: true, | ||
| timeout, | ||
@@ -51,0 +52,0 @@ retry |
| { | ||
| "name": "@actions/attest", | ||
| "version": "1.2.1", | ||
| "version": "1.3.0", | ||
| "description": "Actions attestation lib", | ||
@@ -38,3 +38,3 @@ "keywords": [ | ||
| "devDependencies": { | ||
| "@sigstore/mock": "^0.6.5", | ||
| "@sigstore/mock": "^0.7.4", | ||
| "@sigstore/rekor-types": "^2.0.0", | ||
@@ -51,4 +51,4 @@ "@types/jsonwebtoken": "^9.0.6", | ||
| "@octokit/plugin-retry": "^6.0.1", | ||
| "@sigstore/bundle": "^2.3.0", | ||
| "@sigstore/sign": "^2.3.0", | ||
| "@sigstore/bundle": "^2.3.2", | ||
| "@sigstore/sign": "^2.3.2", | ||
| "jsonwebtoken": "^9.0.2", | ||
@@ -55,0 +55,0 @@ "jwks-rsa": "^3.1.0" |
@@ -15,2 +15,5 @@ # `@actions/attest` | ||
| See [Using artifact attestations to establish provenance for builds](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds) | ||
| for more information on artifact attestations. | ||
| ## Usage | ||
@@ -17,0 +20,0 @@ |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Improved metrics
- Total package byte prevSize
- increased by1.11%
46640
- Lines of code
- increased by0.9%
670
- Number of lines in readme file
- increased by1.69%
180
Worsened metrics
- Number of low supply chain risk alerts
- increased by100%
2
Dependency changes
Updated@sigstore/bundle@^2.3.2
Updated@sigstore/sign@^2.3.2